fix(audit): 修复深度审计发现的 P0/P1 问题 (8项)

基于 DEEP_AUDIT_REPORT.md 修复 2 CRITICAL + 4 HIGH + 1 MEDIUM 问题:

- C1: PromptOnly 技能集成 LLM 调用 — 定义 LlmCompleter trait，
  通过 LlmDriverAdapter 桥接 zclaw_runtime::LlmDriver，
  PromptOnlySkill.execute() 现在调用 LLM 生成内容
- C2: 反思引擎空记忆 bug — 新增 query_memories_for_reflection()
  从 VikingStorage 查询真实记忆传入 reflect()
- H7: Agent Store 接口适配 — KernelClient 添加 listClones/createClone/
  deleteClone/updateClone 方法，映射到 agent_* 命令
- H8: Hand 审批检查 — hand_execute 执行前检查 needs_approval，
  需审批返回 pending_approval 状态
- M1: 幽灵命令注册 — 注册 hand_get/hand_run_status/hand_run_list
  三个 Tauri 桩命令
- H1/H2: SpeechHand/TwitterHand 添加 demo 标签
- H5: 归档过时 VERIFICATION_REPORT

文档更新: DEEP_AUDIT_REPORT.md 标记修复状态，README.md 更新
关键指标和变更历史。整体完成度从 ~50% 提升至 ~58%。

desktop/src-tauri/src/intelligence_hooks.rs

@@ -9,7 +9,7 @@ use tracing::debug;
 
 use crate::intelligence::identity::IdentityManagerState;
 use crate::intelligence::heartbeat::HeartbeatEngineState;
-use crate::intelligence::reflection::ReflectionEngineState;
+use crate::intelligence::reflection::{MemoryEntryForAnalysis, ReflectionEngineState};
 
 /// Run pre-conversation intelligence hooks
 ///
@@ -40,6 +40,7 @@ pub async fn pre_conversation_hook(
 /// 2. Record conversation for reflection engine, trigger reflection if needed
 pub async fn post_conversation_hook(
     agent_id: &str,
+    _user_message: &str,
     _heartbeat_state: &HeartbeatEngineState,
     reflection_state: &ReflectionEngineState,
 ) {
@@ -48,7 +49,6 @@ pub async fn post_conversation_hook(
     debug!("[intelligence_hooks] Recorded interaction for agent: {}", agent_id);
 
     // Step 2: Record conversation for reflection
-    // tokio::sync::Mutex::lock() returns MutexGuard directly (panics on poison)
     let mut engine = reflection_state.lock().await;
 
     engine.record_conversation();
@@ -62,7 +62,17 @@ pub async fn post_conversation_hook(
             "[intelligence_hooks] Reflection threshold reached for agent: {}",
             agent_id
         );
-        let reflection_result = engine.reflect(agent_id, &[]);
+
+        // Query actual memories from VikingStorage for reflection analysis
+        let memories = query_memories_for_reflection(agent_id).await
+            .unwrap_or_default();
+
+        debug!(
+            "[intelligence_hooks] Fetched {} memories for reflection",
+            memories.len()
+        );
+
+        let reflection_result = engine.reflect(agent_id, &memories);
         debug!(
             "[intelligence_hooks] Reflection completed: {} patterns, {} suggestions",
             reflection_result.patterns.len(),
@@ -151,3 +161,38 @@ async fn build_identity_prompt(
 
     Ok(prompt)
 }
+
+/// Query agent memories from VikingStorage and convert to MemoryEntryForAnalysis
+/// for the reflection engine.
+///
+/// Fetches up to 50 recent memories scoped to the given agent, without token
+/// truncation (unlike build_memory_context which is size-limited for prompts).
+async fn query_memories_for_reflection(
+    agent_id: &str,
+) -> Result<Vec<MemoryEntryForAnalysis>, String> {
+    let storage = crate::viking_commands::get_storage().await?;
+
+    let options = zclaw_growth::FindOptions {
+        scope: Some(format!("agent://{}", agent_id)),
+        limit: Some(50),
+        min_similarity: Some(0.0), // Fetch all, no similarity filter
+    };
+
+    let results: Vec<zclaw_growth::MemoryEntry> =
+        zclaw_growth::VikingStorage::find(storage.as_ref(), "", options)
+            .await
+            .map_err(|e| format!("Memory query for reflection failed: {}", e))?;
+
+    let memories: Vec<MemoryEntryForAnalysis> = results
+        .into_iter()
+        .map(|entry| MemoryEntryForAnalysis {
+            memory_type: entry.memory_type.to_string(),
+            content: entry.content,
+            importance: entry.importance as usize,
+            access_count: entry.access_count as usize,
+            tags: entry.keywords,
+        })
+        .collect();
+
+    Ok(memories)
+}